The EU’s General Data Protection Regulation (GDPR) marks its fourth anniversary after coming into effect on 25th May 2018. Since then, it has paved the way for other data protection regulations, including the CCPA, and 1.6 billion euros of fines have been issued. 

While the UK has adopted its own version, the UK GDPR, companies of all sizes continue to fall short of GDPR compliance through data protection violations such as data breaches.

Four years on, and despite a record £42m in fines issued by the Information Commissioner’s Office (ICO) over the past financial year (2020/21), organisations have taken compliance with GDPR and other data protection regulations more seriously.

Most recently, the ICO fined facial recognition database firm Clearview AI £7.5 million for breaching UK data protection rules, still a significant reduction from the £17m fine originally proposed in November 2021. The organisation was fined for building an online database from over 20 billion images of people’s faces, together with associated data, collected from publicly available sources on the internet and social media. It did not notify any of the individuals involved that their images were being collected or used in this way, which goes against data protection regulations.

What’s the biggest challenge with GDPR? 

We spoke to our CTO, Jason Stirland, who highlighted, “the biggest challenge with GDPR remains that it’s not always fully understood by employees.  

“This is why regularly refreshing data protection training for all employees is crucial – no matter their level – as it ensures that every employee understands their GDPR obligations to protect themselves and the organisation.

“Data breaches can happen for several reasons, and with employees being the most vulnerable resource, human errors will tend to occur. Be that as it may, reducing the likelihood of data breaches happening remains an organisational responsibility to train employees on cybersecurity awareness training – e.g., learning how to spot a phishing email and not sharing any personal or confidential information with third parties.” 

GDPR and the Great Resignation – Is there an impact? 

Jason revealed that the pandemic created pathways for significant people changes in organisations of all sizes, thanks to the Great Resignation.  

“With this in mind, organisations must remember to do their due diligence and ensure newer team members are provided with GDPR training to ensure compliance. It’s worrying how many organisations fail to consider this within the onboarding process, especially with many employees now joining companies on a remote working or hybrid basis – ensuring they can learn this from home will be vital.” 

If you’re looking to reduce GDPR training gaps within the onboarding process or improve GDPR compliance overall among employees, then take a look at our data protection courses and get in touch with us today for a free demo.

Check out our brand-new Data Protection Collection – the third Compliance Collection we launched this year. An innovative new approach for keeping awareness training programmes fresh, year on year.

Mitigating the Risks of Data Breaches

Last month, British Airways was fined £20M over a data breach that took place in 2018, while Marriott Hotels was fined £18.4M for a cyberattack and resulting data breach between 2014 and 2018.

Data breaches and the resulting lapses in compliance with regulations can have a devastating impact on businesses – from a severe financial penalty to loss of customer trust and reputation. It is more important than ever to consider compliance with data protection regulations and to incorporate a ‘privacy by design’ policy when processing data for business.

Awareness training is key in educating employees on the importance of data protection, the regulations that they must comply with, the rights of individuals whose data they process and mitigating the risks of data breaches.

New Data Protection Collection

Create a cost-effective bespoke training solution using our off-the-shelf products. Our Data Protection Collection offers a holistic solution covering a range of learning styles – combining detailed study, immersive learning, microlearning and toolbox talks to keep learners engaged. Also included for free are a number of communications resources which can be printed out or displayed in the workplace digitally to reinforce key messaging.

By rolling out effective learning interventions over a number of years and targeted messaging, our Collection can help boost learner engagement, promote knowledge retention and embed a culture of compliance.

Collections are designed to offer a highly flexible, easily scalable, and agile alternative to traditional online learning.

What’s New?

Detailed Study

We updated our detailed study courses to ensure that best practices on data protection are relevant for all organisations. The updated courses introduce and raise awareness on the importance of data protection regulations, including the difference between types of data, individual rights under data protection regulation and the eight principles of data protection.

Immersive Learning

We updated our immersive learning course on Preventing a Data Breach. The new course is scenario-based and highly gamified – placing the learner at the heart of the experience and testing them on their ability to make the right decisions on data protection. Raise awareness on the consequences of data breaches and the best practice to follow when handling personal data.

Diagnostic Assessment

Introducing a comprehensive diagnostic assessment that creates learning paths based on each learner’s knowledge and awareness levels. Learning paths for each topic are then designed in direct response to the needs and knowledge gaps identified for each employee or team.

The new Diagnostic Assessment is a short quiz to measure the learner’s understanding of data protection and automatically create enrolments onto relevant core Take 5 courses. The assessment is useful for assessing individual training needs, offering valuable insight into common training gaps with targeted interventions tailored for each employee.

The Diagnostic Assessment is exclusively available for xAPI courses, utilising the auto-enrol functionality powered by our Astute LXP’s AI engine.

Microlearning

In addition to updating all of our existing microlearning courses, following are the new additions to the Collection:

Toolbox Talks

Two new Toolbox Talks designed as blended training courses for small groups or teams. Each Toolbox Talk includes downloadable facilitation notes.

Get a sneak peek at all the new courses on our Data Protection topic page or request a FREE demo. For more information on the new collection, download the Compliance Collections brochure for Data Protection.

As businesses prepare to open up on 4 July, following the easing of lockdown restrictions, they are expected to have robust measures in place to curb the spread of COVID19, including contact tracing. Collecting personal data as part of contact tracing is expected to create a data privacy minefield for some. So how can businesses navigate this minefield?

What is Contact Tracing?

Contact tracing, supported by the NHS Test and Trace service, is a vital strategy in the fight against COVID19. It can help curb the spread of COVID19 by tracing those who are showing symptoms of COVID19 as well as those who may have come into contact with the infected and are at risk of becoming carriers. Contact tracing requires the collection and sharing of personal data, affecting most businesses with face-to-face customers or visitors, including the hospitality, leisure and retail sectors.

Some businesses may already have systems and processes in place to collect personal data. However, for some small businesses, it will be an entirely new experience. Both will need to comply with data protection regulations while employing contact tracing.

Key Data Protection Requirements

Here is a refresher on the data protection requirements for businesses in the UK.

Data protection regulation in the UK

The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). The DPA 2018 sets out the framework for data protection law in the UK. It updated and replaced the Data Protection Act 1998 and came into effect on 25 May 2018. It sits alongside the General Data Protection Regulation (GDPR) and tailors how the GDPR applies in the UK.

The Regulator

The Information Commissioner’s Office (ICO) maintains and enforces data protection regulation across the UK, including the GDPR. Awareness and understanding of data protection requirements are essential for businesses looking to prevent data breaches.

Lawful basis for the processing of personal data

Under the GDPR, acceptable reasons for the lawful basis for the processing of personal data are consent, contract, legal obligation, vital interests, public task and legitimate interests. Data collection for contact tracing is expected to be classed as a public task – a specific task in the public interest that is set out in the law.

Six Tips on Collecting Data for Contact Tracing

So how can businesses ensure that they are fulfilling the requirements for contact tracing but also complying with data protection regulations? Here are six helpful tips on collecting data for contact tracing.

1. Keep the process transparent: Assure your customers on why you are collecting data and how the data helps with contact tracing.

2. Only collect the data you need: For contact tracing purposes, customers only need to provide details such as name, phone number and email address.

3. Keep the data secure: Invest in a secure data collection method or system to make sure the data you have collected is stored away safely.

4. Be clear on retention policy: Government guidance requires businesses to keep a temporary record of customers and visitors for 21 days only.

5. Use the data only for the purpose collected: Personal data collected as part of contact tracing cannot be used for any other purposes such as marketing unless stated explicitly and consent has been given for it.

6. Don’t forget to delete the data: Any personal data must be securely discarded after 21 days.
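Tips 2, 4, 5 and 6 above describe a small data-handling policy: minimal fields, a 21-day retention limit, purpose limitation and deletion. The following is an added illustration of that policy in code, not code from the original post; the record layout, the purpose string and the exact cutoff rule are assumptions made for the example.

```python
"""Minimal contact-tracing visitor log (added example, not the article's own code).

Assumptions for illustration: a visit record holds only name, phone and email;
a record is deleted once it is 21 days old; data may only be exported for the
purpose "contact_tracing".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

RETENTION = timedelta(days=21)                  # retention period quoted in tip 4
ALLOWED_FIELDS = {"name", "phone", "email"}     # the only details needed (tip 2)
ALLOWED_PURPOSE = "contact_tracing"             # tip 5: no other use, e.g. marketing


@dataclass(frozen=True)
class Visit:
    name: str
    phone: str
    email: str
    collected_at: datetime


class VisitorLog:
    def __init__(self) -> None:
        self._visits: List[Visit] = []

    def record(self, data: Dict[str, str], now: datetime) -> Visit:
        """Tip 2: refuse to store anything beyond name, phone and email."""
        extra = set(data) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"refusing to store non-essential fields: {sorted(extra)}")
        missing = ALLOWED_FIELDS - set(data)
        if missing:
            raise ValueError(f"missing required fields: {sorted(missing)}")
        visit = Visit(data["name"], data["phone"], data["email"], now)
        self._visits.append(visit)
        return visit

    def purge_expired(self, now: datetime) -> int:
        """Tips 4 and 6: drop records that are 21 days old or older; return the count."""
        cutoff = now - RETENTION
        before = len(self._visits)
        self._visits = [v for v in self._visits if v.collected_at > cutoff]
        return before - len(self._visits)

    def export(self, purpose: str, now: datetime) -> List[Visit]:
        """Tip 5: data leaves the log only for contact tracing, and never stale."""
        if purpose != ALLOWED_PURPOSE:
            raise PermissionError(f"purpose {purpose!r} is not permitted for this data")
        self.purge_expired(now)   # never hand out records that should already be gone
        return list(self._visits)
```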

Contact tracing or not, compliance with the data protection regulation is a vital requirement for most businesses. To mitigate the risks of compliance breaches, always follow best practice around data collection, perform regular audits of policies and processes, and continually review staff readiness.

Helpful resources:

COVID-19 secure guidance for employers, employees and the self-employed

NHS Test and Trace

Online safety is something we’re constantly telling kids – don’t speak to people you don’t know, don’t open any dodgy looking emails, and don’t give out personal details. This is all well and good, but online scammers are still finding victims to get money out of every day.

Whilst the younger generation are growing up with internet security being drilled into them to create a tech-savvy attitude, the older generations seem to have been forgotten, and because of this they are more regularly the victims of online crime.

Anyone can be a victim of online crime, with it being estimated that around £10 billion is lost every year in the UK alone because of cyber scams. Age UK reported that 43% of older people believe they have been a target for scammers.

The very fact that older people are more likely to live alone is a point that fraudsters look out for because it is a potentially lonely and vulnerable victim that they can take advantage of.

Scams can come through a number of sources: face-to-face doorstep conversations, over the phone, through the post, and on the internet – so now more than ever we need to know how to protect ourselves.

Angela Ramsay is a perfect example of how fraudsters target someone out of touch with technology and unaware of scamming techniques.

“I was a 57-year-old lady living alone and was very happy in my new home. I loved my job and was financially secure after being left some money in a will from a lifelong friend. I had a lovely new man in my life, all was perfect. Then I was scammed.”

What happened

Angela was called at work from a number claiming to be Nationwide’s fraud team. When she checked the number that had rung, it matched a number listed online as Nationwide, so she thought everything was fine.

When they rang her back later on, they told her someone was attacking her account in the West Midlands. When she questioned their legitimacy, they reassured her that they were the number listed on the back of her bank card. She then got an email which began the process of them taking her money. They told her they were moving it to safe accounts.

The next morning, wanting to check everything was okay, she rang the number that had called her, which put her through to Nationwide. They didn’t know what she was talking about.

“I broke down and screamed. I didn’t know what to do. I was feeling sick, a fool, ashamed and very depressed.”

After 3 months of persistent phone calls and questions, Angela managed to retrieve £53,000, leaving scammers with £14,000.

“I know I was very lucky to get that back, but I had to fight for it.”

Improving education on scamming

Angela admitted that she knew nothing about scammers and the techniques they used, and this is where the problem lies.

Education around scamming and online fraud needs improving, because although there is plenty of material online, not everyone has internet access, and as a result, it tends to be those people that are the easiest targets.

Increasing the production of physical material in branches to educate people on scams means that more people can be aware of the warning signs and stop things like this happening.

What are the warning signs?

It can be hard to spot a scam but following these steps could prevent you becoming the next victim of this modern crime.

Is it out of the blue?

If a company calls you randomly, make sure you verify who you are talking to before giving them any information. Ask them to give you details that only that company would know. If you’re not convinced, then hang up and call the company directly. It is always better to be over cautious.

Too good to be true?

This is very simple: if it sounds too good to be true, it probably is.

Personal details

Phone scammers work by getting personal information from you. No matter how small the detail is, it could be exactly what they need to steal your identity and go on to steal your money. Never share personal details with someone that can’t verify who they are.

Feeling hurried?

If a company is putting a time pressure on you to make a decision, that is when alarm bells need to be ringing. Anyone that tries to rush you should not be trusted.

Being the victim of a scam has a massive effect on your life, financially and emotionally. Following these simple steps and improving the education around scamming can stop people becoming victims of these cyber criminals.

This article is written by guest author India Wentworth [email protected]

Happy Data Privacy Day! Created by the Council of Europe in 2006, Data Protection Day is celebrated every year to promote data protection best practices and raise awareness on the importance of data privacy. Globally, it is recognized as Data Privacy Day.

For businesses, data is a valuable asset and it is therefore vital to protect it, both to ensure business continuity and to comply with the regulation. In the spirit of data privacy and all things data protection, we share with you some useful tips for keeping your business data safe and secure this year.

Ensuring Compliance in Artificial Intelligence (AI)

Nearly all AI-based products and services rely on the collection of large amounts of data, including personal data, to understand user behaviour and make intelligent decisions. Data is therefore vital in powering AI, but it also poses new challenges for data privacy. In December 2018, an Amazon customer in Germany was mistakenly sent about 1,700 audio files from someone else’s Amazon Echo device – a mistake attributed to human error. In July last year, it was reported that Amazon responded to a letter sent by a US Senator confirming that it maintained Alexa recordings indefinitely (unless a user manually comes in and deletes them).

Incidents such as these highlight the importance of data protection and of ensuring compliance in AI.

Legislation in Europe and the US is picking up momentum with the European Commission looking to implement an “appropriate” ethical and legal framework for the development of AI aimed at boosting innovation while making individuals’ rights a priority.

A piloting phase which ran until December 2019 was based on draft Ethics guidelines describing trustworthy AI as:

  • lawful – respecting all applicable laws and regulations
  • ethical – respecting ethical principles and values
  • robust – both from a technical perspective while taking into account its social environment

The General Data Protection Regulation (GDPR) includes ‘privacy by design’, encouraging businesses to develop products with built-in privacy standards from the start. This will certainly hold for AI-driven technology and products which will need to factor in privacy and consent.

Recognizing GDPR as an Opportunity

Speaking of the GDPR, it has been over a year and a half since the regulation came into force and it continues to drive the way businesses collect and use customer data. More customers are also becoming wary about how their personal data is collected and used for business purposes.

For businesses, GDPR is no longer just about compliance; there is also a tremendous business opportunity in a data-driven economy. In a world brimming with data, businesses can stand out by leveraging GDPR best practice to maintain up-to-date data lists and boost their reputation as a responsible, reliable partner committed to deepening digital trust with their customer base.

Remember to:

  • Audit your data periodically – Ensure that your customer data is up-to-date and your customers are engaged with your business.
  • Implement a strict retention policy – If you are holding data on customers who haven’t engaged with you in a while, maybe it’s time to review if you need that data. You can erase or anonymize the data you no longer need.
  • Aim for ‘privacy by design’ – Make sure you have performed a Data Protection Impact Assessment (DPIA) to identify and reduce the data protection risks your business could face and allow members of staff to fix any problems before a breach occurs.
  • Review your privacy policy – Ensure that your privacy policy clearly states your business identity, how long you intend to use your customer data, your legal basis for processing data, any data retention periods and customers’ right to complain to the ICO.

Evaluating Your Password Policy

A 2019 survey by the National Cyber Security Centre (NCSC) found that “12345” and “password” remain amongst the top five most common passwords found in global breaches. Liverpool was the most common Premier League football team used in passwords, with Superman the most popular fictional character.

Making good password choices is vital for protecting individual and professional business data. For businesses, this means continually reviewing and enforcing robust password policy.

Key ingredients of a comprehensive password policy:

  • Reset Password – Passwords must be reset every set number of days to ensure users are changing passwords periodically.
  • Password history – Discourage users from recycling the same password again with a minimum of 10 previous passwords remembered.
  • Maximum password age – Determine how long users can keep their password before they have to change it, forcing users to change their passwords regularly.
  • Password complexity – Rules to ensure users aren’t using their first or last name as password, as well as using a mix of character types such as lower case, upper case, numbers, and symbols.
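The four ingredients listed above can be expressed as a small set of checks. The following is an added example written for this article, not the vendor’s own code: the 10-entry history comes from the list, while the 90-day maximum age and 12-character minimum length are assumed values chosen for illustration, and the sample account is constructed.

```python
"""Password policy checks for the four ingredients above (added example).

Assumptions: MAX_AGE and MIN_LENGTH are illustrative values; the article gives
only the history size. Hashes use PBKDF2 from the standard library.
"""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HISTORY_SIZE = 10                 # "minimum of 10 previous passwords remembered"
MAX_AGE = timedelta(days=90)      # assumed value for "maximum password age"
MIN_LENGTH = 12                   # assumed; the article sets no length


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    first_name: str
    last_name: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    changed_at: Optional[datetime] = None


def complexity_problems(password: str, account: Account) -> List[str]:
    """'Password complexity': mixed character classes and no use of the user's name."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of lower, upper, digit, symbol")
    lowered = password.lower()
    for name in (account.first_name, account.last_name):
        if name and name.lower() in lowered:
            problems.append(f"contains the user's name {name!r}")
    return problems


def reused_recently(password: str, account: Account) -> bool:
    """'Password history': reject any of the last HISTORY_SIZE passwords."""
    recent = account.history[-HISTORY_SIZE:]
    return any(_hash(password, salt) == digest for salt, digest in recent)


def change_password(account: Account, new_password: str, now: datetime) -> List[str]:
    """Apply all rules; on success record the new hash and return an empty list."""
    problems = complexity_problems(new_password, account)
    if reused_recently(new_password, account):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt)))
    account.history = account.history[-HISTORY_SIZE:]   # keep only what the rule needs
    account.changed_at = now
    return []


def must_reset(account: Account, now: datetime) -> bool:
    """'Reset password' / 'maximum password age': force a change once MAX_AGE has passed."""
    return account.changed_at is None or now - account.changed_at >= MAX_AGE
```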

Staying Safe Online

Social engineering continues to pose one of the biggest security risks to businesses. Cybercriminals often target employees using deception with the intent of gaining confidential information for fraudulent purposes. These techniques include phishing and baiting and could also include links to fake website pages, emails from doctored addresses, or communications that appear to come from government or official sources.

Social engineering also works on manipulation in the digital world, profiling, and misuse of personal information.

Steps to take to protect your business from social engineering:

  • Regularly update your company antivirus software.
  • Secure your business network with a robust firewall.
  • Make sure employees are aware of the risks of responding to an email from unknown persons, especially those containing links or attachments.
  • Train employees to recognize doctored email addresses from fraudulent sources.
  • Make sure employees never give out financial or sensitive information over the phone or electronically without encryption.

Mitigating the Risks of Human Error

A report by Kaspersky Lab revealed that about 90% of data breaches are caused by human error.

Many businesses suffer data breaches because their employees inadvertently created an entry point to their systems, whether by opening unsafe email attachments, clicking on suspicious website links or downloading unsafe files.

Cybercriminals count on human flaws to circumvent the most robust security software. It all comes down to a lack of awareness which can put your employees at risk of making errors in judgment, resulting in data and security breaches, company downtime, or financial loss.

Invest in Awareness Training

Investing in a thorough employee training program is a vital ingredient in any organization’s data protection policy. Raising awareness ensures that employees understand the regulatory obligations for businesses and understand the implications of non-compliance. Realizing the value of sensitive information if breached can also help employees to act with caution and make the right decisions to keep business data safe and protected.

Make sure your employee training program includes a comprehensive overview of key topics such as data protection, GDPR, and information security. We also recommend keeping employees up to date with microlearning courses for refreshing and reinforcing key learning messages over time.

How Can We Help?

At DeltaNet International, we are firm believers in leveraging the power of awareness training to reduce the impact of human error. Without raising awareness, you may be putting your business at risk of non-compliance with data protection and privacy laws. Don’t get caught out by the regulators, invest in awareness training for your staff. Find out how we can help with our range of Data Protection Online Training.

The ‘world’s favourite airline’ and the largest hotel chain both reported huge data breaches in recent times, affecting millions of records. After investigations by the Information Commissioner’s Office (ICO), British Airways and Marriott International are both facing record fines for data breaches under the General Data Protection Regulation (GDPR).

Marriott

In November 2018, the Marriott International group of hotels reported a massive breach to the ICO. It relates to a cyber incident involving the unauthorised access of the Starwood hotels group systems in 2014. Marriott subsequently acquired the Starwood Group, however, the breach wasn’t discovered or reported until 2018.

As a result, the personal data of approximately 339 million guests globally was compromised. Of these, around 30 million related to residents of 31 countries in the European Economic Area (EEA), and around seven million related to UK residents.

After an extensive investigation, on 9 July 2019, the ICO issued a notice of its intention to fine Marriott in excess of £99M under the GDPR. Marriott International has co-operated with the ICO investigation and, since the data breach was reported, has made improvements to its security arrangements. However, the ICO’s contention is that Marriott failed to perform due diligence when it acquired the Starwood Group and should have made sufficient checks to ensure its IT systems were secure.

In a statement, Marriott have revealed that they intend to appeal the fine and defend their position.

British Airways

The ‘world’s favourite airline’, on the other hand, is facing a record fine of £183M for breaches of data protection law. The proposed fine relates to a cyber incident in June 2018 when 500,000 customers browsing the British Airways website and booking tickets online were being directed to a fraudulent website. Their personal data, including name, address, login, payment card and travel booking details, were then harvested by the cyber attackers.

According to the ICO investigation, the personal data of approximately 500,000 customers was compromised in this cyber incident, including login, payment card and travel booking details as well as name and address information.

In a statement, British Airways apologised to customers, expressed disappointment and revealed the intention to appeal.

Fines Issued in 2018

The ICO is simply reaffirming its commitment to the GDPR by disclosing the details of its fines and investigations to the public. Since the GDPR came into effect on 25 May 2018, a number of high-profile data breaches have come to light. The ICO issued some of its biggest fines last year, including fines for the Crown Prosecution Service (CPS), Equifax UK, Uber, Facebook and Bounty.

With the ICO adopting a tough stance and walking the talk, businesses must bear in mind the very expensive consequences as a result of data breaches.

Is Your Business Prepared?

What we have learnt from these recent breaches is that the GDPR goes beyond ‘consent’ and data privacy issues. Both the breaches at British Airways and Marriott were a result of IT or web systems failures and hackers gaining unauthorised access.

A quick recap of what any form of data breach under GDPR could cost your business: the ICO can issue a fine of up to 4% of a company’s global annual revenue for a breach under the GDPR. For British Airways, the ICO fine comes up to 1.5% of global turnover for the year, while for Marriott, it’s 3% of the company’s global revenue.

Mitigate the risks of a hefty fine and ensure that your business is prepared to combat the lapses in cyber security. Investing in cyber security and information security is key to keeping the hackers out. Keeping your systems secure and up to date is the first step and one of the most effective weapons against cyber-attacks.

Don’t forget the importance of awareness training for your workforce. Are your staff equipped to spot the signs of an attempted cyber-attack and understand the implications? By training employees on the various aspects of cyber security and GDPR, and the risks they face, businesses can keep the hackers out and prevent costly breaches under the GDPR.

How Can We Help

Our FREE download on Handling a Data Breach offers practical tips for reducing the risk of a breach, including a checklist for managing and reporting data breaches should your data be compromised.

We can also support your business with a wide range of eLearning solutions dedicated to cyber security and GDPR. Our eLearning can be delivered as off-the-shelf packages, or we can customise the content to suit your organisation. To find out more, check out our great value Compliance package.

Could your organisation handle a data breach?

Whilst it’s imperative for organisations to do all they can to prevent a data breach and protect the rights of individuals, many are unprepared to manage a personal data breach should the worst happen. This can cause further damage to finances and reputation and even lead to further breaches.

To help get the conversation started, download our FREE eGuide, Handling a Data Breach.

As well as practical tips for reducing the risk of a breach, this handy booklet also includes a checklist for managing and reporting data breaches should your data be compromised.


(For media enquiries or to share this eGuide on your website please contact [email protected])

The Marriott hotel group recently reported a huge data breach, which they claim has been ongoing since 2014.

The company identified the breach after an internal security tool alerted them to an unauthorised access attempt. After investigating the breach, they discovered that an unknown agent had copied and encrypted information in one of their databases of guest information.

The Starwood group of hotels, which includes St Regis, Sheraton and Westin, was bought by Marriott International in 2015, making it the world’s largest hotel chain.

Their vast customer base seems to have been an attraction for hackers, who are believed to have accessed and copied 500 million records. 327 million of those records include names, phone numbers, email addresses, passport numbers and dates of birth.

This makes the Marriott breach the second largest in history, though it lags far behind the Yahoo breach which affected 3 billion users.

How did hackers breach Marriott security?

The New York Times reports that a US government investigation into the breach indicates that Chinese state hackers were responsible, though no details have been released regarding the tactics used.

Are you affected by the Marriott Starwood data breach?

If you have stayed at any of the Starwood group hotels, you are advised to change your passwords and understand that your data (name, payment details, address, phone numbers etc.) could be passed on to cybercriminals.

This kind of customer data is frequently used to facilitate fraud. For example, a fraudster might use the information they have to pretend to represent your bank, or your mobile phone provider, so that you hand over access codes, payment information – or simply validate the information they already have.

How can companies prevent customer data breaches?

When even the largest companies in the world – and the most tech savvy – seem incapable of protecting customer data, what can smaller companies and SMEs do to fight back against the constant threats from hackers?

Keep up. As quickly as companies deploy new security standards, hackers are working on a way to crack it. Just as companies ditch insecure technologies, hackers are engineering a back-door to the new solutions. And just as companies teach their employees about popular social engineering techniques, hackers are already moving on to new tactics.

It’s very difficult for large organisations, with their policies, teams and ways of doing business, to outfox cyber criminals who work alone (or in small groups), share information freely and have no compulsion to follow any rule or law.

In spite of this, it’s important that companies try to stay up to date with changing threats.

Prioritise security. One theory about the Marriott hack is that senior executives did not prioritise data security during the acquisition of the Starwood group, leading to weaknesses in the databases or connections between systems, which may have been exploited by hackers.

Data security should be a C-level issue. Security should be driven from the very top, and prioritised in all activities.

Test. When was the last time you tested your network and systems to ensure they can’t be accessed by third parties? Penetration testing might help you identify weaknesses in your security and prioritise fixes.

Raise awareness. As we’ve discussed on this blog before, digital security is a company-wide issue, and every employee is a gatekeeper to your customer data, networks, systems and intellectual property. Employees often provide the gateway for hackers, either deliberately or accidentally, so it makes sense to invest in employee training.

Is your company vulnerable to data breaches?

VinciWorks provides a suite of eLearning solutions, including courses on data protection, cyber security and GDPR. You can either choose our solutions as off-the-shelf courses, or you can adapt them to suit your organisation’s needs with our Adapt authoring tool (or we can manage this for you).

Every week we get news of another massive data breach. While some commentators are suggesting that this is the new normal, and that data leaks and hacks are an inevitable part of our connected world, it’s worth looking at the largest data breaches to see what they have in common – and what they can teach us about data security for 2019.

1: Aadhaar (1.1 billion)

Who?

India’s national personal identity card system contains information on Indian residents, including biometric data, names and information on connected services, such as bank accounts.

How?

A state-owned utility company called Indane was tapping into the Aadhaar database using an unsecured API. Hackers cracked the API and gained access to more than a billion records.

2: Marriott Starwood (500 million)

Who?

Marriott is the world’s largest hotel chain. Their Starwood brand operates a rewards scheme, and it was the rewards scheme’s database that hackers accessed. While the breach was reported in 2018, it is believed to be a long-running data leak, stretching back to 2014.

How?

While details of the hack have not been released, the US government has laid the blame at the door of Chinese state hackers.

3: Exactis (340 million)

Who?

Exactis is a marketing and data aggregation firm. They hold comprehensive data on most US citizens, including information about preferences, interests and family connections.

How?

Exactis was storing more than 2 terabytes of personal data on a publicly accessible server. The exposed data was detected by a security researcher, who notified the FBI and Exactis; Exactis has since protected the database. The researcher found the open database by using a scanning tool to find unshielded Elasticsearch instances.
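As an added illustration (not part of the original post, and not Exactis’s actual configuration), the kind of elasticsearch.yml settings that leave an instance answering to anyone on the internet without credentials, followed by the corrected settings; the values are constructed for illustration.

```yaml
# --- Constructed example 1: exposed configuration (elasticsearch.yml) ---
# Binding to every interface publishes the REST API (default port 9200) on
# any network the host is attached to. With security disabled, no credentials
# are needed to list indices and read every document, which is exactly what
# an internet-wide port scan turns up.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# --- Constructed example 2: corrected configuration ---
# Listen only on the loopback interface (or a private, firewalled address)
# so the node is not reachable from the public internet at all.
network.host: 127.0.0.1
http.port: 9200
# Require authentication on every request and encrypt client traffic.
# Enabling HTTPS also needs certificate settings (key/keystore paths),
# which are omitted here and depend on your deployment.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
```

Binding to a private address alone is not enough if the firewall in front of the host is later opened; authentication and TLS are what keep an accidentally exposed node from leaking its contents.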

4: MyFitnessPal (150 million)

Who?

MyFitnessPal is a fitness and diet-tracking app owned by Under Armour, the athletic clothing company.

How?

Details are lacking. The company has only said that an unauthorised person accessed data. While some user passwords were stolen in the hack, they were hashed with a function called bcrypt, which means the passwords themselves are protected.

5: Quora (100 million)

Who?

Quora is a hugely popular question-and-answer site, with millions of active users.

How?

The company has not released details yet, and has only stated that an unauthorised person accessed user records. Quora also stated that they are engaging a forensic technologist to help them trace the cause of the breach and prevent future hacks.

6: MyHeritage (92 million)

Who?

MyHeritage is an online genealogy and DNA testing service.

How?

They don’t know. A member of the firm’s security team found a trove of MyHeritage data on an external server. The database holds 92 million records, including names, email addresses and hashed passwords. MyHeritage has engaged an external security consultant to identify the source of the breach.

7: Cambridge Analytica (87 million)

Who?

A Facebook game called ThisIsYourDigitalLife passed user data to several third parties, including Cambridge Analytica, a data analytics company that worked with the Trump presidential campaign to target ads to swing voters.

How?

Because of Facebook permission settings at the time, the game allowed the developer to harvest information on its users, and on those users’ friends and contacts. This meant that although only 270,000 people installed the app, the developer was able to pass data on millions of people to Cambridge Analytica.

8: Google+ (52 million)

Who?

Google+ is a social network. In March, Google announced that some Google+ app developers had accidentally been given access to user data. In December, Google announced that a second data breach, which they may have tried to hide, affected 52.5 million users.

How?

The Google+ hack seems to have been caused by a glitch that made user profile information available to app developers. Google is now planning to close their social network.

9: Chegg (40 million)

Who?

Chegg is an online store offering textbooks, tutors and online study support.

How?

An unauthorised third party was able to access a company database that included customer data for Chegg and some of their other brands.

10: Facebook (29 million)

Who?

The world’s largest social network was hacked, exposing sensitive user data including contact information, searches and usage history.

How?

Hackers exploited vulnerabilities in Facebook’s code to get access tokens, which then gave them full access to users’ details.

How can you avoid a data breach?

There are a few patterns in the top 10 data breaches of 2018:

Weak software. Many of these breaches were caused by vulnerabilities or weaknesses in the systems used.

Glitches. Hackers have a keen eye for glitches in software that have unintended consequences. These are ruthlessly exploited to access data that is usually hidden.

Mystery losses. A worrying trend from the top 10 is the number of ‘unknowns’. At the time of reporting, a number of companies had been unable to confirm how the hack was perpetrated.

The main lesson to learn from these examples is that hackers are creative and flexible, and that data leaks from organisations in many different ways.

Internal agents, external criminals, weak software, outdated software connections and APIs, weak passwords, clumsy security practices, social engineering – these are all common components of data breaches.

This suggests that organisations have a lot of work to do to protect every corner of their castle. Hackers look for weak spots in many different areas, and so organisations must address every aspect of their security: software, hardware, people, processes and culture.